Google doubles Chrome’s top bug bounty to $100k

Google has doubled its top security bug bounty under its Chrome Reward Program to $100,000 but it’s doubtful anyone will actually claim the prize.

Google runs the program to encourage security researchers across the world to help secure its software by finding bugs and, importantly, reporting them to Google rather than selling them to brokers who might on-sell the knowledge to buyers who use them for offensive purposes.

Last year alone Google paid researchers more than $2 million, amounting to roughly a third of the $6 million its paid since launching the its bug bounty program six years ago.

Still, the search firm has acknowledges that “dark corners of the Internet” may pay more for bugs than it does, but argues that these shady offers come with strings attached, such as the fact the exploit could be used to harm people and that researchers may be contractually obliged to never publicly discuss the bug. Google on the other hand offers a decent wad of cash and public acknowledgement.

Google offers up to $15,000 for bug reports affecting its Chrome browser, but it also has a higher tier or a “standing reward” for some bugs that affect Chrome hardware. It’s this reward that Google has doubled today.

Google last year introduced a $50,000 standing reward that sought reports of remotely exploitable vulnerabilities on Chromebooks and its business conference device, Chromebox.

The rules of the standing award have not changed but as of Monday its reward page has been updated with the new figure: “We have a standing $100,000 reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page).”

“Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool,” Google announced in a blog post.

Google has also introduced is new category called “Download Protection Bypass”, for bugs that allow an attacker to bypass download protection features of Chrome’s Safe Browsing technology. Safe Browsing protects Chrome users against malware and potentially unwanted applications.

Read more: Security, privacy dominate businesses' cloud concerns as technical worries fade

The category adds a new bottom tier to the rewards program and Google is offering up to $1,000 for reports affecting the feature.


Last chance to register for the CSO Perspectives Roadshow on March 22nd.

  • Hear from International keynote speakers:Robert Lentz, and Graham Cluley,
  • A Security Awareness stream
  • 18 different interactive Security Exchange discussions

Join CSO for a day of networking with your peers, engaging and discussing topics relevant to you, hearing from some of the top worldwide IT Security leaders in the market and attending the exhibition floor to win some amazing prizes.

Participate in this short survey on IT security strategies across the Australian market and go in the draw to WIN a 360Fly camera vailued at $689.

Start survey NOW

Join the CSO newsletter!

Error: Please check your email address.

Tags security bugexploitable vulnerabilitiesBug bountyGooglesecuritychromebookIoTchromeCSO Australiachromebox

More about CSOGoogleIT Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts

Market Place